In November 2011, Valve admitted that its Steam forums were hacked, and some user data including encrypted credit card information and hashed passwords were stolen, and that pending investigation, it asked users to change their Steam passwords. Valve noted that at that time, it had not seen any evidence of encrypted data being hacked. Today, Valve issued an update to all its Steam members via e-mail, where it notified them that investigation is still in progress, that Valve is taking help of external agencies to investigate, and that it still sees no evidence of encrypted credit card data being tampered with. As a note of caution, though, it asked users to keep an eye on their credit card activity and statements.

The transcript of Valve's email to Steam users follows.

Dear Steam Users and Steam Forum Users

We continue our investigation of last year's intrusion with the help of outside security experts. In my last note about this, I described how intruders had accessed our Steam database but we found no evidence that the intruders took information from that database. That is still the case.

Recently we learned that it is probable that the intruders obtained a copy of a backup file with information about Steam transactions between 2004 and 2008. This backup file contained user names, email addresses, encrypted billing addresses and encrypted credit card information. It did not include Steam passwords.

We do not have any evidence that the encrypted credit card numbers or billing addresses have been compromised. However as I said in November it's a good idea to watch your credit card activity and statements. And of course keeping Steam Guard on is a good idea as well.

We are still investigating and working with law enforcement authorities. Some state laws require a more formal notice of this incident so some of you will get that notice, but we wanted to update everyone with this new information now.

That credit card data is encrypted to hell and back--very little chance they will be able to unencrypt it and reassemble it. It is possible but, at best, they'll get just a handle of cards--definitely not all the users.

The only kind of purchase that won't overdraw your account is if it's swiped physically. Making purchases online and EFT's will still overdraw your account. How do I know? I accidentally overdrew my account with an online purchase even though I used my debit card. They refunded me the charge because of a misunderstanding, but the new regulation clearly states it only prevents overdraws from an actual swipe of the card.

Edit: Also, as far as I know this is a standard regulation set down by the government. It's part of the opt-in/opt-out overdraw legislature.

The only kind of purchase that won't overdraw your account is if it's swiped physically. Making purchases online and EFT's will still overdraw your account. How do I know? I accidentally overdrew my account with an online purchase even though I used my debit card. They refunded me the charge because of a misunderstanding, but the new regulation clearly states it only prevents overdraws from an actual swipe of the card.

Edit: Also, as far as I know this is a standard regulation set down by the government. It's part of the opt-in/opt-out overdraw legislature.

Click to expand...

That depends on the bank. I have my account set up the same as you, however, my bank will not allow it to get overdrawn regardless of whether iys physically swiped oe used online. Only caveat, any auto payments will still go through. Auto payments such as a recurring bill that comes out that you specifically setup through the bank. Steam and paypal do not apply to the autopay definition..